A Mirai-based botnet campaign known as Zerobot has resurfaced with renewed force, this time targeting critical flaws in Tenda AC1206 routers and the n8n workflow automation platform.
The campaign, now operating on its ninth known iteration — dubbed zerobotv9 — has been actively exploiting recently disclosed command injection vulnerabilities to spread malware across exposed networks and connected devices.
Zerobot first emerged in 2022, when security researchers documented its operations as a Go-based malware focused on IoT devices. The newer version, zerobotv9, is a notably different threat.
Unlike its predecessor, the latest variant is not written in Go — it is smaller in file size, UPX packed, and carries encrypted strings along with a hard-coded command and control (C2) domain of 0bot.qzz[.]io.
This evolution signals that Zerobot’s operators have been actively refining their tools over time.
Akamai researchers identified active exploitation attempts of these vulnerabilities in mid-January 2026, through the team’s global network of honeypots.
The campaign traces back to at least early December 2025, making this one of the first confirmed cases of active exploitation of these specific CVEs since their public disclosure in 2025.
The research was conducted by Kyle Lefton, a security researcher on Akamai’s SIRT with deep experience in threat research and cyber defense.
The two key vulnerabilities being exploited are CVE-2025-7544 and CVE-2025-68613. CVE-2025-7544, published in mid-July 2025, is a critical stack-based buffer overflow in the /goform/setMacFilterCfg endpoint of Tenda AC1206 devices running firmware version 15.03.06.23.
An attacker can trigger this flaw remotely by passing an oversized value through the deviceList parameter, enabling both denial-of-service (DoS) and remote code execution (RCE).
CVE-2025-68613, published in mid-December 2025, is a critical RCE vulnerability in n8n’s workflow expression evaluation system, affecting versions 0.211.0 through 1.22.0.
The absence of proper sandboxing allows attackers to run arbitrary code, steal API keys, access server files, and establish persistence.
What makes this campaign particularly alarming is its targeting of n8n alongside traditional IoT hardware. Botnets have historically gone after routers, cameras, and DVRs — not enterprise automation platforms.
Since many organizations rely on n8n to connect databases, automate data processing, and manage sensitive systems, a successful compromise could open serious pathways for lateral movement within an organization’s critical infrastructure.
Infection Mechanism and Payload Delivery
Once a vulnerable Tenda router or n8n instance is identified, Zerobot triggers the relevant exploit and forces the target device to download and execute a malicious shell script called tol.sh from a U.S.-based IP address (144.172.100.228).
This script copies busybox to the /tmp directory, assigns execution permissions, then fetches and runs the main Mirai malware payload — zerobotv9. The payload supports multiple CPU architectures, a common trait of Mirai-based downloaders built for broad device compatibility.
The exploit triggers the buffer overflow by passing 500 repeated characters through the deviceList parameter. The n8n attack sends commands via the workflow API to execute tol.sh and load the same payload.
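The request pattern described above is easy to spot at a reverse proxy or WAF that logs the full request line. The following Python is an added example written for this article, not code from Akamai or the Zerobot research: it parses combined-format access log lines and flags any request to /goform/setMacFilterCfg whose deviceList value is far longer than a legitimate MAC-filter entry. The 128-byte threshold and the log lines are constructed assumptions; the endpoint and parameter names are the ones the article gives.

```python
"""Flag requests that match the Tenda AC1206 /goform/setMacFilterCfg overflow pattern.

Added detection example (not Akamai's code). Assumes a proxy or WAF log in
combined format where the query string survives in the request line; if the
device receives the parameter in a POST body, pass the body to
oversized_devicelist() instead of the request target.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/setMacFilterCfg"   # vulnerable endpoint named in the article
PARAM = "deviceList"                      # parameter the overflow is delivered through
MAX_LEN = 128  # assumption: real MAC-filter lists are tens of bytes, never hundreds

# Combined-format access log: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def oversized_devicelist(target):
    """Return the longest deviceList length if the request hits the vulnerable
    endpoint with a value over MAX_LEN, otherwise 0."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return 0
    values = parse_qs(parts.query).get(PARAM, [])
    longest = max((len(v) for v in values), default=0)
    return longest if longest > MAX_LEN else 0


def scan(lines):
    """Run the check over an iterable of log lines and return the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        n = oversized_devicelist(rec["target"])
        if n:
            alerts.append({"src": rec["src"], "ts": rec["ts"], "devicelist_len": n})
    return alerts


# Constructed sample log: one oversized deviceList (500 characters, as the article
# reports), one legitimate MAC-filter entry, one unrelated request.
SAMPLE = [
    '203.0.113.9 - - [11/Jan/2026:04:12:01 +0000] "GET /goform/setMacFilterCfg?deviceList='
    + "A" * 500 + ' HTTP/1.1" 200',
    '198.51.100.4 - - [11/Jan/2026:04:13:22 +0000] "GET /goform/setMacFilterCfg?deviceList=00:11:22:33:44:55 HTTP/1.1" 200',
    '198.51.100.7 - - [11/Jan/2026:04:14:00 +0000] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(f"{alert['ts']} {alert['src']} oversized {PARAM} ({alert['devicelist_len']} bytes)")
```

A length threshold on one parameter of one endpoint is deliberately narrow: it produces almost no false positives on a consumer router's management interface, and it still fires on variants that change the filler byte, since the check never looks at the content of the value.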
The zerobotv9 binary embeds hard-coded user-agent strings that mimic legitimate browser traffic to blend in and avoid network detection.
The malware includes attack methods such as TCPXmas, Mixamp, SSH, and Discord — capabilities that exceed those of the original 2022 Zerobot variant.
The botnet was further observed targeting CVE-2017-9841, CVE-2021-3129, and CVE-2022-22947, using fallback connection techniques including netcat, socat, and Perl socket methods.
Organizations running Tenda AC1206 on firmware 15.03.06.23 should patch immediately or replace aging hardware.
n8n users must upgrade beyond version 1.22.0, restrict access to the workflow execution interface, and enforce strict user privilege controls.
Network defenders should block or monitor the known malicious IPs — 103.59.160.237, 140.233.190.96, 144.172.100.228, 172.86.123.179, and 216.126.227.101 — and the C2 domain 0bot.qzz[.]io.
Applying the YARA and Snort detection rules published by the Akamai SIRT will further help teams identify and respond to related activity across their networks.
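To turn the indicators and version ranges above into something a team can run, here is an added Python example (not from Akamai SIRT or Cyber Security News). It checks whether an n8n version string falls inside the affected range the article quotes (0.211.0 through 1.22.0), and matches outbound connections and DNS queries against the five IPs and the C2 domain listed above. The log line formats and the sample lines are constructed assumptions; the IoCs and version bounds come from the article.

```python
"""Defender-side helpers for the Zerobot indicators given in the article.

Added example, not Akamai's code. IPs, C2 domain and n8n version bounds are the
ones the article states; log formats and sample lines are constructed.
"""
import ipaddress
import re

# Malicious IPs from the article.
MALICIOUS_IPS = {
    ipaddress.ip_address(a)
    for a in (
        "103.59.160.237", "140.233.190.96", "144.172.100.228",
        "172.86.123.179", "216.126.227.101",
    )
}
# The article defangs the C2 domain as 0bot.qzz[.]io; refang it for matching.
C2_DOMAIN = "0bot.qzz[.]io".replace("[.]", ".")

AFFECTED_MIN = (0, 211, 0)  # first affected n8n release per the article
AFFECTED_MAX = (1, 22, 0)   # last affected release; upgrade beyond this


def parse_version(s):
    """Turn '1.22.0' or 'v1.22.0' into a comparable tuple of ints."""
    return tuple(int(x) for x in s.strip().lstrip("v").split("."))


def n8n_is_affected(version):
    """True if the version lies in the CVE-2025-68613 range quoted above."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Assumed log shapes (constructed):
#   flow line: "<ts> <src> -> <dst>:<port>"
#   DNS line:  "<ts> <client> <qname>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def scan(lines):
    """Return hits for egress to a listed IP or a DNS query for the C2 domain."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            ts, src, dst, _port = m.groups()
            try:
                if ipaddress.ip_address(dst) in MALICIOUS_IPS:
                    hits.append({"kind": "egress-to-ioc", "ts": ts, "host": src, "ioc": dst})
            except ValueError:
                pass  # hostname instead of an IP; not covered by the IP list
            continue
        m = DNS_RE.match(line)
        if m:
            ts, client, qname = m.groups()
            q = qname.rstrip(".").lower()
            if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
                hits.append({"kind": "c2-dns", "ts": ts, "host": client, "ioc": q})
    return hits


# Constructed sample: one download attempt from the payload host, one C2 lookup,
# and two benign lines.
SAMPLE = [
    "2026-01-12T03:00:01Z 10.0.0.21 -> 144.172.100.228:80",
    "2026-01-12T03:00:02Z 10.0.0.21 0bot.qzz.io.",
    "2026-01-12T03:00:03Z 10.0.0.22 -> 198.51.100.10:443",
    "2026-01-12T03:00:04Z 10.0.0.23 updates.example.com.",
]

if __name__ == "__main__":
    for v in ("0.210.5", "0.211.0", "1.22.0", "1.23.0"):
        print(f"n8n {v}: {'affected' if n8n_is_affected(v) else 'not affected'}")
    for hit in scan(SAMPLE):
        print(f"{hit['ts']} {hit['host']} {hit['kind']} {hit['ioc']}")
```

Matching on DNS as well as on flows matters here: the binary resolves its C2 by name, so a query for the domain can show up before any connection to an IP that is not yet on a blocklist. The IP set and the domain are a snapshot of the article's indicators and should be refreshed from the Akamai SIRT publication rather than treated as complete.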
The post Zerobot Malware Exploiting Tenda Command Injection Vulnerabilities to Deploy Malware appeared first on Cyber Security News.